What’s New

This article provides an overview of new features which have been added to NHSmail Intune recently in order to enhance user experience and / or the security of the platform. This article will be updated periodically as and when additional new features are added.

Bring Your Own (BYO) Device Security Controls:

The NHSmail Bring Your Own (BYO) Device Security Controls solution is now available for organisations to adopt. The solution provides security controls for your organisation’s Bring Your Own (BYO) devices that access NHSmail Office 365 services.

BYO devices are defined as desktops / laptops and mobiles that are personally owned and unmanaged, or corporate owned and unmanaged, i.e. not enrolled into Intune. The BYO device security controls can help your organisation manage security risks associated with unmanaged devices.

If you are interested in the solution and would like further information, please review the Bring Your Own Device Security Controls guidance here.

Microsoft Store Repository:

The Microsoft Store Repository is now available on NHSmail Intune.

The Microsoft Store Repository allows organisations a flexible way to access and deploy apps. You can choose the best distribution method for your organisation, for example directly assigning apps to individuals and teams, and publish apps.

Admins can browse, deploy, and monitor Microsoft Store applications inside Intune. Upon deployment, Intune automatically keeps the apps up to date when a new version becomes available. The Microsoft Store supports UWP apps, desktop apps packaged in. msix, and now Win32 apps packaged in .exe or .msi installers.

Note that the following capabilities aren’t currently supported by new Microsoft Store Repository apps:

  1. Ability to install Microsoft Store apps during Enrolment Status Page. Apps deployed using Microsoft Store app will install after enrolment status page has completed.
  2. Device provisioning of Microsoft Store UniversalWindows Platform (UWP) applications are not supported.
  3. Any app that has an ARM64 installer is not supported.

From March 2023, new assignments will have to be created from the new Microsoft Store Repository to users and devices.


The end user will not be impacted, deployed apps will still work, and Microsoft will not trigger any removal or install of the app if it is already present on the device.

What do I need to do to have apps I installed from the Microsoft Store for Business remain up-to-date and manageable?

Apps that are already installed on devices will continue to work for users. To continue to service the apps, an NHSMail Local Administrator will need to create a new assignment of those apps using the new Store from the Apps blade in Endpoint Manager. This will not force any reinstall of the app, just reconnect the app from the employee’s device to your Endpoint Manager app list.

What is the process to migrate existing Microsoft Store for Business applications over to the new solution?

There is no client migration or device changes required for previously installed apps. On the admin side, you will need to recreate and reassign applications to user and/or device groups and recreate role-based access control assignments that were previously created for individual Store for Business applications.

What should I be doing right now to be ready for the transition?

Identify those business-critical apps that you have deployed through the Microsoft Store for Business, understand how they are being used in your environment, and plan to recreate the app in the Endpoint Manager console and reassign. Existing legacy store assignments continue to work; new deployments will proceed according to your group assignments.


Only Apps marked as type ‘Microsoft Store App (legacy)’ require the above transitioning process. Any recently created apps showing as ‘Microsoft Store App’ type only should not be remediated.

Supporting guidance is available in the NHSmail Intune LA Operations Guide.

Read-Only RBAC Role:

The Read-Only RBAC role is a new role introduced into Intune to allow organisations to provide specific users with a ‘Read-Only’ type role for the Intune user interface.

‘Read-Only’ Users who are provided this role will have broad visibility of configurations and devices for an organisation, without the ability to add, create, modify, or delete items.

Key Changes for Local Organisations

No changes are required to any existing configurations created by your organisation.

The guidance to add a user to the Read-Only RBAC Role is available in the NHSmail Intune LA Operations Guide.

Zebra Mobility Extension:

Zebra Mobility Extensions (MX) is an existing Intune feature to allow local organisations to allow the automated configuration of Zebra and Samsung ruggedised devices.

Zebra OEMConfig is Zebra’s OEM-specific application that conforms to the OEMConfig model. It provides access to Zebra-specific and privileged functions via Managed Configurations exposed by the Zebra OEMConfig application.

OEMConfig is a Google-sanctioned, standards-based approach for an OEM to extend the capabilities of an Android Enterprise (AE) Device Owner (DO) Device Policy Controller (DPC) running on an Android device by using an OEM-provided application. This app exposes Managed Configurations to access OEM-specific and privileged functions that are not provided via standard Android Enterprise APIs, such as the DevicePolicyManager.

Read More about Zebra OEM Config HERE

Information about how to configure Zebra OEMConfig is available in the NHSmail Intune LA Operations Guide

Autopilot Manufacturer Provisioning:

Autopilot Manufacturer Provisioning is now available to organisations on the Intune platform, that use Dell devices.
This means that organisations can import new devices that have been procured from the OEM (original equipment manufacturer).


In up-coming releases, further vendors/manufacturers will become supported by the Autopilot provisioning process.

To request a new OEM/VAR vendor to be added to support your organisation, please raise a service request to the NHSmail Intune team.

Key Changes for organisations 

Autopilot Pre-Provisioning, formerly known as ‘white glove’, is a process that helps organisations provision devices by using a custom preinstalled OEM Image. The provisioning process is split between the OEM and the end user. The end user completes a few necessary settings and policies and can begin using their device. The time-consuming tasks can be actioned by IT, partners, or OEMs.

From the Local Admin perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Everything beyond that is automated.
From the user’s perspective, it only takes a few simple operations to make their device ready for use.

What is the process for pre-provisioning a device?

When you purchase devices from an OEM, that OEM can automatically register the devices with the Windows Autopilot. Reference information to provide to your OEM for Autopilot registration, can be found here

Device Requirements:

  1. The Device Hardware OEM or VAR must be registered on the NHSmail Intune tenant. Please check with the NHSmail Intune team to validate that your manufacturer or VAR is supported.
  2. A supported version of Windows 11 or Windows 10 semi-annual channel is required to use Windows Autopilot.

Azure-AD Join deployment profiles are supported (Hybrid Join via Autopilot is not supported on the NHSmail Intune instance).


Existing devices can also quickly prepare a new user with Windows Autopilot Reset. The Reset capability is also useful in break/fix scenarios to bring a device back to a readiness state quickly.

Supporting guidance is available in the NHSmail Intune LA Operations Guide.

SCCM/MECM integration and Co-Management:

The NHSmail Intune service allows onboarded organisations to Co-Manage devices with SCCM and Intune as well as connect to on-premises Certificate Issuing services for VPNs, Wi-Fi, etc.

For further details on how this can be setup and used by onboarded organisations please see the following article:


Samsung Knox enrolment:

Samsung Knox Mobile Enrolment (KME) is a Zero Touch provisioning solution. This solution fully automates the enrolment of new, or factory reset devices into a Mobile Device Management (MDM) solution such as NHSmail Intune.

For further details on how this can be setup and used by onboarded organisations please see the following article:


First-line RBAC role:

The addition of a first-line support RBAC role to NHSmail Intune allows Local Administrators to provision a restricted administrative role with read-only permissions to an organisation’s Intune configuration (Apps, Config profiles etc), whilst still enabling first-line support workers to conduct remote tasks such as rebooting, wiping, or syncing a device.

Further details can be found in the NHSmail Intune Operations Guide.

Windows 10/11 Device Management Offering: ​

Onboarded organisations can now manage their Windows 10 / 11 devices in 3 ways:

1. Cloud only

Allows devices to be deployed and managed solely through the NHSmail Intune tenant.

2. Cloud + SSO track

Allows devices to be managed in the NHSmail Intune tenant with Local Active Directory User Identity enhancements.

3. Hybrid track

Allows devices to be managed in the NHSmail Intune tenant but remain domain-joined with local Active Directory.

For further details on the 3 Windows device management tracks, including an overview of the necessary prerequisites please see the following category of articles:


Last Reviewed Date 27/02/2023
Updated on 27/02/2023
Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top